Message-ID: <CANTw=MMyTEr0D=2Yv11aTJWCqy9A2VpyYtd76avDj+bmvEy8fg@mail.gmail.com>
Date: Fri, 23 Dec 2011 16:10:38 -0500
From: Michael Gilbert <michael.s.gilbert@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Status of two Linux kernel issues w/o CVE assignments

On Fri, Dec 23, 2011 at 3:52 PM, Kurt Seifried wrote:
> On 12/22/2011 09:44 AM, Moritz Muehlenhoff wrote:
>>
>> Hi,
>> there were two Linux-related CVE requests/discussions, which
>> didn't end up in an assignment:
>>
>> 1: rose: Add length checks to CALL_REQUEST parsing
>> e0bccd315db0c2f919e7fcf9cb60db21d9986f52 in mainline
>>
>> It was decided that this should be split, but without a final
>> resulting CVE assignment:
>> http://www.openwall.com/lists/oss-security/2011/04/12/1
>
>
> Can anyone shed more light on this for me? (links to fixes/etc.?).

As stated in Moritz's original message, the Linux kernel git commit id
is e0bccd315.  Here is a link directly to a message with the patch:
http://marc.info/?l=linux-netdev&m=130063972406389&w=2

>>
>> 2: /proc/$PID/{sched,schedstat} information leak
>> Vasiliy Kulikov of OpenWall posted a demo exploit.
>> http://openwall.com/lists/oss-security/2011/11/05/3
>>
>> AFAICS no CVE ID was assigned to this?
>
>
> I believe we are not assigning CVEs for these types of proc related issues,
> some discussion was had:

Infoleaks certainly do get an id as they are considered an exposure
(i.e. they make an exploiter's job easier); as in Common
Vulnerabilities and Exposures (CVE):
http://cve.mitre.org

Best wishes,
Mike
